Abstract 

This note illustrates theoretical worst-case scenarios for groundness analyses obtained 
through abstract interpretation over the abstract domains of definite (Def) and positive 
(Pos) Boolean functions. For Def, an example is given for which any Def-based abstract 
interpretation for groundness analysis follows a chain which is exponential in the number 
of argument positions as well as in the number of clauses but sub-exponential in the size 
of the program. For Pos, we strengthen a previous result by illustrating an example for 
which any Pos-based abstract interpretation for groundness analysis follows a chain which 
is exponential in the size of the program. It remains an open problem to determine if the 
worst case for Def is really as bad as that for Pos. 



1 Introduction 

Boolean functions play an important role in various formal methods for specification,
verification and analysis of software systems. In program analysis, Boolean
functions are often used to approximate properties of the set of states encountered
at a given program point. For example, a conjunction $x \wedge y$ could specify that
variables $x$ and $y$ satisfy some property whenever control reaches a given program
point. A Boolean function $\varphi_1 \to \varphi_2$ could specify that if $\varphi_1$ is satisfied at a program
point (perhaps depending on the unknown inputs to the program) then also $\varphi_2$ is
satisfied. A disjunction $\varphi_1 \vee \varphi_2$ could arise as a consequence of a branch in the
control where $\varphi_1$ and $\varphi_2$ approximate properties of the then and else branches
respectively. 

For program analysis using Boolean functions, we often consider the positive
Boolean functions, Pos, namely those for which $f(1,\ldots,1) = 1$ (denoting false
and true by 0 and 1 respectively). This restriction is natural as, due to the
element of approximation, the result of an analysis is not a "yes/no" answer, but
rather a "yes/maybe not" answer. In this case there is no "negative" information.
Sophisticated Pos-based analyzers implemented using binary decision diagrams
(Bryant, 1992) have been shown (Van Hentenryck et al., 1995) to give good
experimental results with regard to precision as well as the efficiency of the
analyzers. However, scalability is a problem and inputs (programs) for which the analysis
requires an exponential number of iterations or exponentially large data structures
are encountered (Codish, 1999). 

Samir Genaim, Jacob M. Howe and Michael Codish 

The domain, Def, of definite Boolean functions is a subdomain of Pos. These
are the positive functions whose sets of models are closed under intersection. The
domain Def is less expressive than Pos. For example, the formula $x \vee y$ is not in
Def. However, Def-based analyzers can be implemented using less complex data
structures and can be faster than Pos-based analyzers. For goal dependent groundness
analyses (where a description of the inputs to the program being analyzed is
given) Def has been shown to provide a reasonable tradeoff between efficiency and
precision (King et al., 1999; Howe & King, 2000). 

The work described in (Codish, 1999) illustrates a series of pathological inputs
for Pos-based groundness analysis. That paper defines a predicate $chain(x_1, \ldots, x_n)$
using $n$ clauses and illustrates that its Pos-based groundness analysis requires $2^n$
iterations. However, given that the size of the program (the total number of
arguments) is quadratic in $n$ ($m = n^2 + n$), the number of iterations is sub-exponential in
the size of the input ($2^n$ or $2^{O(\sqrt{m})}$). It has been suggested that Def analyses might
provide better scalability properties than Pos due to the restriction to functions
whose models are closed under intersection. This note makes two contributions: 

1. It demonstrates that the worst-case behavior of a Def-based analysis is (at
least) as bad as that described in (Codish, 1999) for Pos-based analyses; and 

2. It demonstrates that the worst-case behavior of a Pos-based analysis is
exponential in the size of the input. 

We have not succeeded in demonstrating a worst-case analysis for Def for which the
number of iterations is exponential in the size of the input, nor in proving that
Def-based groundness analysis has sub-exponential worst-case behaviour. This remains
an open problem. 

2 A potential worst-case for Def 

Consider an $n$-ary Boolean function $f$. A model $M$ of $f$ can be viewed as a
sequence $(b_1, \ldots, b_n)$ of zeros and ones such that $f(b_1, \ldots, b_n) = 1$. For the sake
of our construction, we order $n$-ary models according to their value as $n$-digit
binary numbers. So a model $M_1$ is smaller or equal to a model $M_2$ if and only
if the binary number corresponding to $M_1$ is less or equal to the binary
number corresponding to $M_2$. The intersection of models is defined as usual so that
$(a_1, \ldots, a_n) \cap (b_1, \ldots, b_n) = (c_1, \ldots, c_n)$ where $c_i = 1$ if and only if $a_i = b_i = 1$. 

Let us first comment on the series of programs which demonstrates the potential
worst-case behavior of a Pos-based groundness analysis (Codish, 1999). The analysis
of the predicate chain/n enumerates the models of the (constant) $n$-ary Boolean
function 1 (true) in reverse order. Starting from the initial approximation (which
has no models), each consecutive approximation is a function which has one new
model that was not in the previous iteration. For example, when $n = 3$, the models
accumulate in the following order: (1, 1, 1), (1, 1, 0), (1, 0, 1), (1, 0, 0), ... , (0, 0, 0)
and the Pos-based analysis totals 8 iterations. In contrast the corresponding
Def-based analysis totals 4 iterations because at each iteration the current set of
models is closed under intersection. So for example, in the third iteration, the set
{(1, 1, 1), (1, 1, 0), (1, 0, 1)} is closed to give {(1, 1, 1), (1, 1, 0), (1, 0, 1), (1, 0, 0)}. 



We now construct a series of programs which demonstrates the potential worst- 
case behavior of a Def-based groundness analysis. This construction is based on the 
following observation: 

Proposition 2.1 

Let M be an n-ary model. Then the set of n-ary models smaller or equal to M is 
closed under intersection. 

Proof 

The result follows from the following observation: If $M_1$ and $M_2$ are $n$-ary models,
then $M_1 \cap M_2$ is no larger than $M_1$ (and no larger than $M_2$). This is because $M_1 \cap M_2$
is obtained from $M_1$ (or from $M_2$) by changing some ones to zeros. □ 

A consequence of Proposition 2.1 is that the domain of definite Boolean functions
over $n$ variables contains a chain of length $2^n$. To demonstrate such a chain
consider an enumeration $M_0, \ldots, M_{2^n-1}$ of the $n$-ary models according to their
binary ordering (so $M_0 = (0, \ldots, 0)$ and $M_{2^n-1} = (1, \ldots, 1)$). Observe that $M_i$ is the
$n$-ary binary representation of $i$. Define a sequence $F = (f_0, \ldots, f_{2^n-1})$ as follows:
let $f_0$ be the Boolean function with the empty set of models and for $0 < i \le 2^n - 1$
define $f_i$ to be the Boolean function whose models are $\{M_0, \ldots, M_{i-1}\} \cup \{M_{2^n-1}\}$.
From the construction it is clear that $F$ forms a chain. Moreover, the elements of
$F$ are in Def: They are positive because they have $M_{2^n-1}$ as a model; and from
Proposition 2.1 it follows that they are closed under intersection. The chain $F$ is
of length $2^n - 1$ because, for $1 < i \le 2^n - 1$, $f_i$ has exactly one model more than
$f_{i-1}$. This is the setting for our construction. 
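The construction above can be checked mechanically for small n. The following Python sketch is an added example, not code from the paper: it encodes a model (b_1, ..., b_n) as the integer with that binary representation, so that model intersection is bitwise AND, and the function names are hypothetical. It covers the closure step from the n = 3 example, the fact that x ∨ y is not in Def, and the chain F.

```python
from itertools import combinations

def close_under_intersection(models):
    """Smallest superset of `models` closed under intersection (bitwise AND)."""
    closed = set(models)
    changed = True
    while changed:
        changed = False
        for a, b in combinations(sorted(closed), 2):
            if a & b not in closed:
                closed.add(a & b)
                changed = True
    return closed

def in_def(models, n):
    """Def membership: positive (has 1...1) and closed under intersection."""
    top = (1 << n) - 1
    return top in models and close_under_intersection(models) == set(models)

def chain_F(n):
    """f_0 has no models; f_i = {M_0..M_{i-1}} | {M_{2^n-1}} for 0 < i <= 2^n - 1."""
    top = (1 << n) - 1
    return [set()] + [set(range(i)) | {top} for i in range(1, top + 1)]

def check_chain(n):
    """(number of elements, every f_i with i >= 1 is in Def, strictly increasing)."""
    F = chain_F(n)
    all_def = all(in_def(f, n) for f in F[1:])
    strict = all(a < b for a, b in zip(F, F[1:]))
    return len(F), all_def, strict

def as_bits(models, n):
    """Render integer-encoded models as n-digit binary strings, largest first."""
    return [format(m, f"0{n}b") for m in sorted(models, reverse=True)]

if __name__ == "__main__":
    # Third iteration of the n = 3 example: closure adds the model 100.
    print(as_bits(close_under_intersection({0b111, 0b110, 0b101}), 3))
    # x OR y has models 01, 10, 11; their intersection 00 is missing, so not in Def.
    print(in_def({0b01, 0b10, 0b11}, 2))
    print(check_chain(4))
```
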

The (Def-based) groundness analysis of the following predicate "p/n" iterates
through the chain $F$. The arguments typeset in boldface highlight the case for
$n = 4$. The program size is quadratic in $n$ and consists of a single predicate of arity
$n$ with $n + 1$ binary clauses. The analysis of the program can be viewed as counting
from zero to $2^n - 2$ in its arguments. 
3 A Challenge 

The Def- and Pos-based groundness analyses of the predicate p/n program in the
series given in this note involve an exponential number of iterations and compute
an $n$-ary Boolean function. The same is true for the Pos-based analysis of the
series given in (Codish, 1999). However, it is important to note that complexity
is typically expressed in terms of the size of the input to a problem and that the
size of the program defining p/n in both series is quadratic in $n$ ($m = n^2 + n$).
Hence, formally speaking, we have shown that both Def and Pos-based groundness
analyses may potentially involve a number of iterations which is $2^{O(\sqrt{m})}$. This is
bad enough, but sub-exponential. 

For Pos, we can strengthen the result. The following program is of size linear in
$n$ ($m = 11 \cdot n$) and its Pos-based groundness analysis requires $2^n - 2$ iterations. 

    p(X_1, ..., X_1).
    p(A_1, ..., A_n) <- p(B_1, ..., B_n), s(A_1, ..., A_n, B_1, ..., B_n).
    s(c, X_1, ..., X_1, X_1, c, ..., c).
    s(W, A_1, ..., A_{n-1}, W, B_1, ..., B_{n-1}) <- s(A_1, ..., A_n, B_1, ..., B_n).

Intuitively, the 2n arguments of the predicate s/2n represent two n-digit binary 
numbers (the first is the successor of the second) so that the n recursive clauses 
from the program in Section 2 can be simulated by two clauses for s/2n. The base 
case of s/2n corresponds to the last recursive clause. However, the analysis of s/2n 
does not follow an exponential chain so we still need the predicate p/n to get the 
worst-case behaviour. This approach does not work for Def because the result in 
Pos for s/2n is not closed under intersection. 

4 Conclusion 

We have demonstrated a $2^{O(m)}$ worst case complexity for Pos and at least $2^{O(\sqrt{m})}$
for Def (where $m$ is the size of the program). It remains to be determined if the worst
case for Def is really as bad as that for Pos or perhaps Def has better worst-case
behaviour. 

Theorem 4.1 

Groundness analysis using Def has a potential worst-case behaviour involving
$2^{O(\sqrt{m})}$ iterations, where $m$ is the size of the program. 

Theorem 4.2 

Groundness analysis using Pos has a worst-case behaviour involving $2^{O(m)}$
iterations, where $m$ is the size of the program. 